
Amazon Users Targets of Massive Locky Spear-Phishing Campaign

Researchers tracked a Locky ransomware spam campaign that spoofed an Amazon shipping notification; one estimate put the volume at 100 million messages.

Amazon customers were targeted in a massive spear phishing campaign where recipients received Microsoft Word documents with a macro that triggered downloads of the Locky ransomware. Researchers at Comodo Threat Research Labs say it is one of the largest spam ransomware campaigns this year.

Fatih Orhan, director of technology at Comodo and the Comodo Threat Research Labs, said the attack occurred on May 17, lasted about 12 hours, and is estimated to have pushed out as many as 30 million spam messages purporting to be an update from Amazon on a shipping order. Orhan told Threatpost the spear-phishing campaign is notable not just for its size, but also because the attackers manipulated the email header to trick users. This method would be detected by controls on email gateways with Sender Policy Framework (SPF) checking enabled.

The wave of malicious messages was also spotted by researchers at Proofpoint, who put the number of fake Amazon messages at 100 million. Proofpoint said the Locky campaign spread from the U.S. to European email servers and used not only the malicious Word document attachment but also Locky-laced JavaScript attachments.

Orhan said everything about the email header appeared legitimate to the recipient. According to Comodo researchers, recipients received emails from auto-shipping@amazon.com with the subject “Your Amazon.com order has dispatched (#code).” The body of the message was blank; the only content was a malicious Microsoft Word document attached to it. Those who opened the Word document were prompted to enable macros to view its contents. Recipients who enabled the macros had Locky downloaded and installed, after which it encrypted their files.
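As an added illustration from the defender's side (not code from the Threatpost article or from Comodo), the check below parses a constructed message carrying the traits reported above: a From address claiming amazon.com that the receiving gateway's SPF check did not pass, a blank body, and a Word attachment. It assumes the gateway records its SPF verdict in an Authentication-Results header and that the extension list and watched-domain list are tuned locally.

```python
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

# Attachment types the campaign used: macro-bearing Word files and JS droppers.
RISKY_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm", ".js", ".jse")
WATCHED_DOMAINS = ("amazon.com",)  # brands whose spoofing we flag (assumed list)

def spf_result(msg):
    """SPF verdict the receiving MTA stamped into Authentication-Results."""
    m = re.search(r"\bspf=(\w+)", str(msg.get("Authentication-Results", "")))
    return m.group(1).lower() if m else "none"

def body_is_blank(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part is None or not part.get_content().strip()

def suspicious_indicators(raw):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=default)
    hits = []
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    spf = spf_result(msg)
    if domain in WATCHED_DOMAINS and spf != "pass":
        hits.append(f"sender claims {domain} but SPF result is {spf}")
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    hits += [f"macro/script-capable attachment: {n}"
             for n in names if n.lower().endswith(RISKY_EXTENSIONS)]
    if names and body_is_blank(msg):
        hits.append("blank body, attachment only")
    return hits

# Constructed sample mirroring the reported message (not a real capture).
SPOOFED = b"""\
From: auto-shipping@amazon.com
Subject: Your Amazon.com order has dispatched (#code)
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=amazon.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="ORDER-code.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```

Running `suspicious_indicators(SPOOFED)` yields three indicators; a gateway rule would typically quarantine on the SPF mismatch alone and use the other two to raise severity.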

The Locky email campaign is not unique; security firms have been documenting such campaigns since the beginning of 2016. Security researchers at Trustwave reported in March a huge spike in Locky being distributed via a spam campaign with the payload delivered through JavaScript attachments. The Amazon campaign also follows another trend, the resurgence of Microsoft Office macro attacks.

According to Palo Alto, macro attacks are on the rise. “We suspect that macro-based attacks are experiencing a resurgence from the late 1990s. There is a whole new pool of victims that don’t remember how dangerous macros were and are learning the hard way to never trust macros unless sent from a 100 percent reliable source,” said Ryan Olson, researcher at Palo Alto Networks, in an interview with Threatpost last week.

Comodo Threat Research Labs said the Amazon spam campaign was sent by spam botnets running on hijacked virtual machines and on consumer PCs. Ransoms demanded of victims averaged between 0.5 and 1 bitcoin ($227 to $454).

“This group of unknown actors demonstrated a high level of technical email forging capabilities, especially when it comes to domain name forging,” Orhan said. “The recipients that would get these emails had no clue that this email was not from Amazon.” He said the campaign, while aimed at Amazon customers, did not use only Amazon customers’ email addresses; the wave of spam hoped to entice any user to click on the Word attachment.

Amazon did not return Threatpost’s request for comment on whether its customers had reported incidents from this attack. Comodo Threat Research Labs said there is no way to tell how many people may have fallen victim to the combined spam and ransomware attack.

Authors

Threatpost
